- Basic Security Mode (BSM) Auditing
The im_bsm module collects logs generated by the BSM auditing system.
- Custom Programs
The im_exec module allows log data to be collected from custom external programs.Example 194. Using an External Command
This example uses the
tailcommand to read from a file.Note
The im_file module should be used to read log messages from files. This example only demonstrates the use of the im_exec module.
- DNS Monitoring
Logs can be collected from BIND 9.
- File Integrity Monitoring
Example 195. Monitoring File Integrity
This example monitors files in the
/srvdirectories, generating events when files are modified or deleted. Files ending in
.bakare excluded from the watch list.
Logs from the kernel can be collected directly with the im_kernel module.Note
The system logger may need to be disabled or reconfigured to collect logs with im_kernel. To completely disable syslogd on FreeBSD, run
service syslogd onestopand
sysrc syslogd_enable=NO.Example 196. Collecting Kernel Logs
This configuration reads events from the kernel.nxlog.conf
1 2 3
<Input kernel> Module im_kernel </Input>
- Local Syslog
Messages written to
/dev/logcan be collected with the im_uds module. Events written to file in Syslog format can be collected with im_file. In both cases, the xm_syslog module can be used to parse the events. See the Linux system logs and Collecting and Parsing Syslog sections for more information.Example 197. Reading Syslog Messages From File
This example reads Syslog messages from
/var/log/messagesand parses them with the parse_syslog() procedure.
- Log Files
The im_file module can be used to collect events from log files.
- Process Accounting
The im_acct module can be used to gather details about which owner (user and group) runs what processes.